Valve has posted an article outlining security and trading on its Steam platform; part of it covers how many Steam accounts are stolen every month.
Since introducing trading, Steam accounts being stolen has been the number one complaint of Steam users and increased twenty-fold compared to pre-trading days.
We see around 77,000 accounts hijacked and pillaged each month. These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It’s a losing battle to protect your items against someone who steals them for a living.
So what can you do to prevent your account from being one of the 77,000 affected accounts? Not a lot, if you read into Valve’s announcement, but you can make it difficult for hackers. Two-factor authentication is one additional step you can take to protect your Steam account. However, part of keeping your Steam account secure is making sure the machines you use to access the Steam client and websites are also secure.
Steam does have its own two-factor authentication app for iOS and Android, but a lot of Steam users have not applied the extra level of protection to their accounts. This is partly because the app is not available for all mobile devices (Windows Phone, BlackBerry, etc.) and partly because Steam does not use something like Google Authenticator, which a lot of people already have for other services. Valve tries to explain its reasoning for creating its own system:
We needed to create our own two-factor authenticator because we need to show users the contents of the trade on a separate device and have them confirm it there. Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn’t intend to. This basically made it impossible to use a generic third party authenticator, such as Google Authenticator, to confirm trades.
As people aren’t securing their Steam accounts for whatever reason, Valve is bringing in new measures to protect against unauthorised trades.
- Anyone losing items in a trade will need to have a Steam Guard Mobile Authenticator enabled on their account for at least 7 days and have trade confirmations turned on. Otherwise, items will be held by Steam for up to 3 days before delivery.
- If you’ve been friends for at least 1 year, items will be held by Steam for up to 1 day before delivery.
- Accounts with a Mobile Authenticator enabled for at least 7 days are no longer restricted from trading or using the Market when using a new device since trades on the new device will be protected by the Mobile Authenticator.